SANS Security Trend Line

There's nothing like nude pictures of celebrities to raise the visibility of a security breach ? the iCloud exposure is the latest to zoom up the Google Trend charts. The underlying problem appears to be that while Apple does offer two-factor authentication for logging into iClouds and for making iTunes purchases, that strong authentication did not extend to all areas of iCloud ? not to backups, for example. So, attackers were able to exploit the usual weak password and weak password reset processes ? using "What you know" questions in password-reset safeguards is pretty silly for people whose dog's mother's maiden name is actually known by millions of fans?

For years, Apple has done a good job making security a baked in feature to their products and services and not taking the "well, users hate security so we won't build it in." Now, earlier on Apple also benefited from simply being able to say "We are not Microsoft" and by having a small enough market share in PCs that the tip of the cybercrime spear was never really pointed at them. That has all changed in the smartphone and tablet markets, and in the cloud services integrated to them. Apple now really is like Microsoft in 2001 ? the big dog in a market, with products and services that are the most direct path for vandals and cybercriminal to reach their targets.

Back in early 2002, then CEO of Bill Gates recognized Microsoft had not taken security seriously and famously sent out a company-wide memo that really did change the focus of product managers and developers at Microsoft. It took a couple of years of Gates denying the problem, blaming the users, etc ? but he finally had an epiphany and got past the denial phase.

Apple CEO Tim Cook's response to the iCloud exposure shows he is firmly entrenched in that denial phase ? stating first that Apple wasn't at fault, but that they would now alert the users when someone accessed their info or changed their password, and would work to "educate" the users more. Way down the stack came Apple focusing on expanding the coverage of two-factor authentication in iCloud, and being more proactive in convincing users to use two factor authentication.

There is an old saying that I just made up: "The fish swims the way the head points." While the days of technology CEO's issuing long, dense company-wide emails to change direction are probably gone, it would be nice to see Apple's CEO push out a few "#IoSSecurity JobOne" tweets or an Instagram picture of Apple product managers issuing the NoMoreReusablePasswords challenge by dumping buckets of hard apple cider on their own heads.

One litmus test I've done over the years: what do you see when you go to http://www.apple.com/security ? Do you see marketing info or security guidance for customers?